INSIGHTS, NEWS & DISCOVERIES FROM IOACTIVE RESEARCHERS

Tuesday, January 26, 2016

EKOPARTY Conference 2015, one of the most important conferences in Latin America, took place in Buenos Aires three months ago. IOActive and EKOPARTY hosted the main security competition, the EKOPARTY CTF (Capture the Flag), which ran for 32 hours with about 800 teams.

Teams from all around the globe demonstrated their skills in a variety of topics including web application security, reverse engineering, exploiting, and cryptography. It was a wonderful experience.

If you haven’t competed before, you may wonder: What are security competitions all about? Why are they essential for information security?

Competition, types, and resources

A security competition takes place in an environment where the contestants try to find a solution to specific problems through the systematic application of knowledge. Each problem (or challenge) is worth a different number of points. The number of points for each challenge is based on its level of difficulty and the time needed to reach the solution (or flag).

Security competitions help people develop rare skills, as they require lateral thinking and low-level technical knowledge of many topics at once. This is a short list of some of their benefits:

Fun while learning.

Legally prepared environments ready to be hacked; you are authorized to test the problems.

Recognition and use of multiple paths to solve a problem.

Understanding of specialized attacks which are not usually detectable or exploitable by common tools.

Free participation, typically.

Good recruiting tool for information security companies.

You will find two types of competitions:

CTFs (Capture the Flag) are restricted by time:

Jeopardy: Problems are distributed in multiple categories which must be solved separately. The most common categories are programming, computer and network forensics, cryptography, reverse engineering, exploiting, web application security, and mobile security.

Attack - defense: Problems are distributed across vulnerable services which must be protected on the defended machine and exploited on remote machines. This kind of competition mostly provides a vulnerable infrastructure.

Wargames are not restricted by time and may have the two subtypes above.

Wednesday, January 6, 2016

Security updates are a common occurrence once you have installed Drupal. In October 2014, there was a massive defacement attack that affected Drupal users who did not upgrade in the first seven hours after a security update was released. This means that Drupal updates must be checked as frequently as possible (even though, by default, Drupal checks once a day).

Just a few days after installing Drupal v7.39, I noticed there was a security update available: Drupal v7.41. This new version fixes an open redirect in the Drupal core. In spite of my Drupal update process checking for updates, according to my local instance, everything was up to date:

Issue #1: Whenever the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning.
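
One way a monitoring script could avoid the failure mode in Issue #1, shown as an added example that is not from the original post or from Drupal's code: a failed or unparseable update check gets its own status and is never folded into "up to date". The names `Status`, `update_status`, `newest_release` and the simplified XML feed are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from enum import Enum

class Status(Enum):
    UP_TO_DATE = "up to date"
    UPDATE_AVAILABLE = "update available"
    CHECK_FAILED = "check failed"  # must never be reported as UP_TO_DATE
    STALE = "last successful check too old"

MAX_AGE = 24 * 3600  # seconds; the post notes the default check is once a day

def parse_version(text):
    """'7.41' -> (7, 41); raises ValueError on anything else."""
    major, minor = text.strip().split(".")
    return int(major), int(minor)

def newest_release(feed_xml):
    """Return the highest version listed in the feed, or raise."""
    root = ET.fromstring(feed_xml)
    versions = [parse_version(v.text or "") for v in root.iter("version")]
    if not versions:
        raise ValueError("feed contains no releases")
    return max(versions)

def update_status(installed, feed_xml, fetched_at, now):
    """feed_xml is None when the fetch itself failed (timeout, DNS, proxy)."""
    if feed_xml is None:
        return Status.CHECK_FAILED
    try:
        latest = newest_release(feed_xml)
        current = parse_version(installed)
    except (ET.ParseError, ValueError):
        # An error page or truncated body is a failed check, not good news.
        return Status.CHECK_FAILED
    if now - fetched_at > MAX_AGE:
        return Status.STALE
    return Status.UPDATE_AVAILABLE if latest > current else Status.UP_TO_DATE

# Constructed sample feed (simplified; not the real update-server format).
SAMPLE_FEED = """<project><releases>
  <release><version>7.41</version></release>
  <release><version>7.39</version></release>
</releases></project>"""
```

An alerting job would page on `CHECK_FAILED` and `STALE` in the same way it does on `UPDATE_AVAILABLE`, so a broken check cannot hide a pending security release.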